Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

Download PDF
ID 683453
Date 3/06/2020
Public
Document Table of Contents
Document Table of Contents x
1. Overview 2. Intel® FPGA PAC Security Features 3. Intel FPGA PAC Security Flow 4. Using fpgasupdate 5. Document Revision History
1. Overview x
1.1. About This Document 1.2. Prerequisites 1.3. Related Documentation 1.4. Glossary
2. Intel® FPGA PAC Security Features x
2.1. Secure Image Updates 2.2. Anti-Rollback Capability 2.3. Key Management 2.4. Authentication 2.5. Encryption
3. Intel FPGA PAC Security Flow x
3.1. Installing PACSign 3.2. PACSign Tool 3.3. Creating Unsigned Images 3.4. Using an HSM Manager 3.5. Creating Keys 3.6. Root Entry Hash Bitstream Creation 3.7. Signing Images 3.8. Creating a CSK ID Cancellation Bitstream 3.9. PACSign PKCS11 Manager *.json Reference 3.10. Creating a Custom HSM Manager 3.11. PACSign Man Page
3.5. Creating Keys x
3.5.1. OpenSSL Key Creation 3.5.2. HSM Key Creation
3.7. Signing Images x
3.7.1. Creating OpenCL* Bitstreams
3.7.1. Creating OpenCL* Bitstreams x
3.7.1.1. Sourcing the init_env.sh Script 3.7.1.2. Creating the OpenCL* Bitstream 3.7.1.3. Programming the Image File
3.7.1.2. Creating the OpenCL* Bitstream x
3.7.1.2.1. Example: Creating a Signed .aocx File Using OpenSSL Manager 3.7.1.2.2. Example: Creating an Unsigned .aocx File Using OpenSSL Manager 3.7.1.2.3. Example: Creating a Signed .aocx File Using PKCS11 Manager 3.7.1.2.4. Example: Creating an Unsigned .aocx File Using PKCS11 Manager
3.10. Creating a Custom HSM Manager x
3.10.1. HSM_MANAGER.get_public_key(public_key) 3.10.2. HSM_MANAGER.sign(data, key) 3.10.3. Signing Operation Flow
3.10.1. HSM_MANAGER.get_public_key(public_key) x
3.10.1.1. PUBLIC_KEY.get_X_Y() 3.10.1.2. PUBLIC_KEY.get_permission() 3.10.1.3. PUBLIC_KEY.get_ID() 3.10.1.4. PUBLIC_KEY.get_content_type()
4. Using fpgasupdate x
4.1. Troubleshooting
1. Overview
2. Intel® FPGA PAC Security Features
3. Intel FPGA PAC Security Flow
4. Using fpgasupdate
5. Document Revision History

3.7.1.2.1. Example: Creating a Signed .aocx File Using OpenSSL Manager

Command syntax:

$AOCL_BOARD_PACKAGE_ROOT/linux64/libexec/sign_aocx.sh -H openssl_manager \
-i <path_to_input_file/input_filename.aocx> -r <rootpublickey.pem> \
 -k <cskkey.pem> -o <path_to_output_file/output_filename.aocx>

Example output, signing vector_add.aocx: 

$ $AOCL_BOARD_PACKAGE_ROOT/linux64/libexec/sign_aocx.sh -H openssl_manager \
-i vector_add.aocx -r ../openssl_keys_1_2_1/key_pr_root_public_key.pem \
-k ../openssl_keys_1_2_1/key_pr_csk2_public_key.pem -o signed_06_vector.aocx 

The script assumes the PACsign and Intel Acceleration Stack environment is setup. If not run the command : <stack_installation_path>/init_env.sh
hsm_manager=openssl_manager
aocx filename/path=vector_add.aocx
root_public_key=../openssl_keys_1_2_1/key_pr_root_public_key.pem
csk_public_key=../openssl_keys_1_2_1/key_pr_csk2_public_key.pem
output filename/path=signed_06_vector.aocx
openssl hsm_manager_options=openssl_manager 
input path =.
input filename =vector_add.aocx
output path =.
output filename =signed_06_vector.aocx
Extracted the filename as signed_06_vector 
1. Extracted the bin from the aocx 
2. Extracted the gzip compressed GBS file from the .bin
3. Uncompressed .gz it to get the GBS file
Initiating PACSign tool to sign the GBS. This process will take a couple of minutes...
Creating signed aocx file by signing the provided keys 
2020-01-06 16:08:20,125 - PACSign.log - WARNING - Bitstream is already signed - removing signature blocks
4. Signed the GBS 
5. Compressed the gbs file 
6. Added the signed gzip file to fpga.bin 
7. Added the fpga.bin file back into aocx file
The signed file signed_06_vector.aocx has been generated. Use the command aocl program <device_name> <filename>.aocx to program it on the FPGA card

The following message indicates that your output signed bitstream is successfully created: 

The signed file <output_filename>.aocx has been generated. Use the command aocl program <device_name> <filename>.aocx to program it on the FPGA card
Level Two Title